The Food and Ag-ISAC released its latest publication, the Food and Ag Sector Cyber Threat Report, which employs the Predictive Adversary Scoring System (PASS) to identify key threat actors within the food and agriculture industry. It also details the primary tactics, techniques, and procedures (TTPs) these actors utilize in their cyber attacks. Additionally, the Food and Ag-ISAC has released its second industry report on ransomware trends, which will be updated quarterly throughout 2025.
The data was collected in collaboration with members and partners, including the IT-ISAC and other ISACs that are part of the National Council of ISACs. Members of the Food and Ag-ISAC benefit from access to collaborative adversary playbooks, where companies work alongside ISAC analysts to update playbooks with recent IOCs (indicators of compromise), TTPs, latest tools and exploits, and more.
The PASS tool was employed to analyze data from over 200 monitored threat actors. It is designed to identify which threat actors pose a significant threat to specific communities within the Food and Ag-ISAC and the IT-ISAC. Members of these ISACs have access to the tool and can use it to conduct similar internal assessments against their own intelligence.
The tool evaluates several key metrics to assess adversarial risk: level of activity, covering how recently the group has been active; frequency of sector targeting, covering how often the adversary has targeted the sector in the past; sophistication/impact, dealing with the set of TTPs that demonstrate a level of sophistication or impact; and motivation, addressing whether the group's aims are financial, geopolitical, ideological, or for recognition.
The Food and Ag-ISAC report said that after compiling a list of nearly 50 adversaries that have targeted the food and agriculture sector, a comparison was made of the techniques used by these groups to breach organizations. It also detailed several TTPs that demonstrate a level of sophistication and/or impact on affected organizations. Additionally, a summary of the techniques and best practices for organizational defense is provided.
Data revealed that about 90 percent of threat actor TTPs use readily available tools or living off the land (LOTL) techniques; targeted spearphishing attacks were observed in about 83 percent of attacks against organizations; while 80 percent of these attacks involved the development of custom malware and tools.
The data highlights several critical trends in threat actor TTPs. Approximately 90 percent of threat actors leverage readily available tools or employ living-off-the-land (LOTL) techniques, demonstrating a preference for stealth and efficiency. Additionally, targeted spear-phishing attacks were observed in 83 percent of incidents targeting organizations, underscoring their prevalence as a primary attack vector. Furthermore, 80 percent of threat actors develop custom malware and tools, indicating a significant level of sophistication and adaptability in their operations.
The Food and Ag-ISAC data disclosed that about 70 percent of hacker TTPs employed stealthy exfiltration techniques along with lengthy persistence and defense evasion strategies. Around 65 percent utilized data encryption for impact, while 42 percent exploited zero-day vulnerabilities. Approximately 38 percent modified existing malware and tools, 25 percent opted for destructive tactics, 22 percent engaged in supply chain compromise, and 21 percent employed disruptive tactics.
The Food and Ag-ISAC report provided the sector with effective practices to defend against observed adversaries, as these practices can bolster defenses against the identified TTPs. Organizations must consult and apply vendor-recommended guidance for security hardening; implement application allowlisting and monitor the use of common LOLBins (Living-off-the-Land Binaries – trusted, pre-installed system tools that attackers use to spread malware and carry out their work); review CISA guidance on LOTL mitigation; enhance IT and OT network segmentation and monitoring; and implement authentication and authorization controls for human-to-software and software-to-software interactions, regardless of network location.
Employees should be trained not to open emails or download software from untrusted sources – verify the domain even if it seems like a legitimate software hosting site; not to click on links or attachments in emails that come from unknown senders; and not to provide passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion). They must also always verify the email sender’s email address, name, and domain; report phishing emails to appropriate security or IT staff immediately; back up important files frequently and store them separately from the main system; protect devices using anti-malware, anti-spam, and anti-spyware software; and read and implement best practices from industry-made cybersecurity guides.
In its second report ‘Farm-to-Table Ransomware Realities: Exploring the 2024 Ransomware Landscape and Insights for 2025,’ the Food and Ag-ISAC disclosed that ransomware attacks are spread out across all critical infrastructure sectors, and specific ransomware groups show a level of variability in their targeting. “While some companies might be specifically targeted, our research indicates that ransomware attacks are typically opportunistic. Ransomware operators will often scan the internet for publicly exposed and vulnerable systems, leverage initial access brokers, or offer their malware to other criminals through a ransomware-as-a-service (RaaS) model.”
For initial access, threat actors will search for organizations with publicly exposed and vulnerable systems, leverage phishing and social engineering attacks, or employ initial access brokers – cybercriminals and insiders who sell access to vulnerable networks.
While global law enforcement had a positive impact in deterring two major ransomware players, LockBit and ALPHV/BlackCat, several newer ransomware strains emerged in 2024 to fill the void. Reports show that several high-profile cybercriminal groups have begun partnering with ransomware actors. As such, the threat of ransomware should continue to be a concern for organizations across the critical infrastructure community, including the food and agriculture sector.
In 2024, the IT-ISAC and the Food and Ag-ISAC tracked 3,494 total ransomware incidents. Of these incidents, 212 were against the Food and Ag sector, which accounted for 5.8 percent of total attacks by volume. In comparison, critical manufacturing (20.7 percent) and commercial facilities (17.3 percent) were the two sectors that saw the greatest number of attacks in 2024.
Food and Ag ranked number 6 out of the 11 sectors monitored in terms of ransomware attack volume. “This compares to 2023, when we noted 2,905 total ransomware incidents, with 167 targeting the Food and Ag sector (5.5 percent of total). While the total number of attacks increased in 2024, the sector was impacted by ransomware attacks at a fairly similar percentage between 2024 and 2023.”
Ransomware attacks can have consequences for the victim company’s suppliers or partners and a direct impact on the company itself. In the highly interconnected food and ag industry, a disruption in one company has the potential to trigger cascading impacts. Past incidents have highlighted the industry’s vulnerability to these disruptions and its resilience, as companies quickly adapt to maintain stability in the face of cyber threats.
For example, ransomware attacks could impact or disrupt processes along agricultural production lines. Any downtime caused by an attack could lead to a chain reaction of delays, potentially causing late planting or harvesting windows. As a result, crops may need to be palletized and moved to other regions during an active growing season. This is already done in cases of severe weather, such as droughts or flooding, but it is an expensive and taxing process that strains limited resources.
The report identified that ransomware poses other perils as well, such as the potential theft of intellectual property. “It can take many years to develop a product from inception to sale. If information gets stolen somewhere along this timeline, that amounts to years of lost work and value. The impact on genetic work can be particularly costly, as this field requires expensive equipment, laboratories, and employees.”
However, financial gain remains the primary motivation of ransomware actors. While specific ransomware groups may carry out multiple attacks against food and agriculture sector companies, they often target other sectors with similar or higher frequency.
The report said that it expects ransomware attacks to continue to increase across all industries in 2025. Financially-motivated attackers will continue to seek financial gain. As long as the risk of getting caught is low and the potential for a large payday is high, the threat will persist. Prominent cybercriminal groups with sophisticated capabilities continue to partner with RaaS operations, which will further proliferate attacks.
“A concerning uptick in ransomware attack volume in Q4 of 2024 appears to be continuing into 2025. Organizations should continue to monitor ransomware activity, understand who the major players are, and work to mitigate common initial access methods used to breach victim organizations,” the report added. “Double extortion will continue to be a normal process for most ransomware groups. In many cases, the stolen data from ransomware incidents can have more financial and reputational damages than the temporary disruptions due to encrypted systems. We expect ransomware to continue to steal sensitive data from organizations as a means to elicit a ransom payment.”
Also, groups like CL0P have continued to leverage zero-day vulnerabilities, especially those in file transfer applications. Ransomware groups will continue to leverage zero-day and recently disclosed vulnerabilities as a means to breach victims. Proof-of-concept exploits for critical vulnerabilities can appear rapidly after a vulnerability is disclosed, and ransomware groups will quickly leverage these to impact victims who have not immediately patched or mitigated specific vulnerabilities. Organizations will need to continue to improve their vulnerability management and patch management.
Clearly, ransomware is a threat that doesn’t hold back – it targets all critical infrastructure. While the food and ag sector sees fewer attacks than other critical infrastructure sectors, it is still impacted. The percentage of observed attacks against the sector in 2024 remained consistent from 2023, but the sheer volume of ransomware attacks is concerning and shows no signs of slowing down.
“Attacks against the sector appear to remain opportunistic. Organizations should continue to improve their risk exposure as it relates to unpatched vulnerabilities and misconfigured systems and services exposed to the Internet,” the report added. “User training remains an essential tool in an organization’s defenses against ransomware attacks, as phishing emails, breached VPN credentials, and stolen credentials continue to be an initial access point for ransomware actors.”